U.S. patent application number 14/557868 was filed with the patent office on 2015-06-11 for identity authentication method and apparatus and server.
The applicant listed for this patent is Xiaolai Li. Invention is credited to Zhibiao Pan, Zhibin Zhang.
Application Number: 20150163065 (Appl. No. 14/557868)
Document ID: /
Family ID: 50125485
Filed Date: 2015-06-11
United States Patent Application 20150163065, Kind Code A1
Pan; Zhibiao; et al.
June 11, 2015
IDENTITY AUTHENTICATION METHOD AND APPARATUS AND SERVER
Abstract
The present disclosure provides an identity authentication
method and apparatus and a server. Embodiments may avoid
inconvenience of input of authentication information via the input
device and easy occurrence of errors in the prior art and thereby
improve efficiency and reliability of identity authentication in
the following manner: the authentication end encrypts the obtained
token with a private key to obtain a signature so that the
authentication end can send to the server the first identity
identifier, the token and the signature generated according to the
public key corresponding to the private key such that the server
obtains the second identity identifier according to the token and
the signature, and performs identity authentication according to
the first identity identifier and the second identity
identifier.
Inventors: Pan; Zhibiao (Beijing, CN); Zhang; Zhibin (Beijing, CN)
Applicant: Li; Xiaolai, Beijing, CN
Family ID: 50125485
Appl. No.: 14/557868
Filed: December 2, 2014
Current U.S. Class: 713/176
Current CPC Class: H04L 63/126 20130101; H04L 9/3234 20130101;
H04L 63/08 20130101; H04L 9/3247 20130101
International Class: H04L 9/32 20060101 H04L009/32; H04L 29/06
20060101 H04L029/06
Foreign Application Data: Dec 5, 2013, CN, 201310655393.5
Claims
1. An identity authentication method, comprising: an authentication
end obtaining a token sent by a server according to a client's
access; the authentication end encrypting the token with a private
key to obtain a signature; and the authentication end sending a
first identity identifier, the token and the signature to the
server so that the server obtains a second identity identifier
according to the token and the signature, and performs identity
authentication according to the first identity identifier and the
second identity identifier, wherein the first identity identifier
is generated by the authentication end according to a public key
corresponding to the private key.
2. The method according to claim 1 wherein the authentication end
is provided in the client or independently from the client.
3. The method according to claim 1 wherein the step of the
authentication end encrypting the token with a private key to
obtain a signature comprises: the authentication end performing a
Hash operation for the token to obtain a Hash value of the token;
and the authentication end using the private key to encrypt the
Hash value of the token to obtain the signature.
4. The method according to claim 3 wherein the step of the server
obtaining a second identity identifier according to the token and
the signature, and performing identity authentication according to
the first identity identifier and the second identity identifier
comprises: the server performing a Hash operation for the token to
obtain a Hash value of the token; the server obtaining the public
key corresponding to the signature according to the Hash value of
the token and the signature; the server generating the second
identity identifier according to the public key corresponding to
the signature; and the server performing an operation of passing
the identity authentication if the second identity identifier
accords with the first identity identifier.
5. The method according to claim 1 wherein before the
authentication end encrypts the token with a private key to obtain
the signature, the method further comprises: the authentication
end, according to a website to be accessed, selecting a set of
secret key information as the private key and the public key
corresponding to the private key.
6. The method according to claim 1 wherein the step of the server
performing an operation of passing the identity authentication
comprises: the server obtaining a user account corresponding to the
first identity identifier according to the first identity
identifier; and the server sending service data related to the user
account to the client.
7. An identity authentication apparatus, comprising: an obtaining
unit configured to obtain a token sent by a server according to a
client's access behavior; a signing unit configured to encrypt the
token with a private key to obtain a signature; and a sending unit
configured to send a first identity identifier, the token and the
signature to the server so that the server obtains a second
identity identifier according to the token and the signature, and
performs identity authentication according to the first identity
identifier and the second identity identifier; wherein the first
identity identifier is generated according to a public key
corresponding to the private key.
8. The identity authentication apparatus according to claim 7
wherein the authentication apparatus is provided in the client or
independently from the client.
9. The identity authentication apparatus according to claim 7
wherein the signing unit is configured to perform a Hash operation
for the token to obtain a Hash value of the token; and use the
private key to encrypt the Hash value of the token to obtain the
signature.
10. The identity authentication apparatus according to claim 7
wherein the apparatus further comprises a selection unit configured
to, according to a website to be accessed, select a set of secret
key information as the private key and the public key corresponding
to the private key.
11. A server, comprising: an allocating unit configured to allocate
a token to a client according to the client's access behavior; a
transmitting unit configured to transmit the token to an
authentication end so that the authentication end uses the private
key to encrypt the token to obtain a signature; a receiving unit
configured to receive the first identity identifier, the token and
the signature transmitted by the authentication end, wherein the
first identity identifier is generated by the authentication end
according to the public key corresponding to the private key; and
an authentication unit configured to obtain a second identity
identifier according to the token and the signature, and perform
identity authentication according to the first identity identifier
and the second identity identifier.
12. The server according to claim 11 wherein the authentication
unit is configured to perform a Hash operation for the token to
obtain a Hash value of the token; obtain the public key
corresponding to the signature according to the Hash value of the
token and the signature; generate the second identity identifier
according to the public key corresponding to the signature; and
perform an operation of passing the identity authentication if the
second identity identifier accords with the first identity
identifier.
13. The server according to claim 11 wherein the authentication
unit is configured to obtain a user account corresponding to the
first identity identifier according to the first identity
identifier; and send service data related to the user account to
the client.
Description
BACKGROUND
[0001] 1. Technical Field
[0002] The present disclosure relates to authentication technology,
and particularly to an identity authentication method and apparatus
and a server.
[0003] 2. Description of the Related Art
[0004] As communication technology develops, a terminal integrates
more and more functions, so that the system function list of the
terminal includes more and more corresponding applications, such as
applications installed on computers and applications (APPs)
installed on third-party smart phones. When running these
applications, the terminal needs to perform identity authentication
in some cases, for example when posting comments, using certain
designated services or logging in to a personal account. In the
prior art, a user uses an input device to enter a user name and a
password, a client transmits the user name and password to a
server, and the server authenticates the user name and password
transmitted by the client to achieve identity authentication of the
client.
BRIEF SUMMARY
[0005] Operations of entering authentication information such as
the user name and password via the input device, for example, a
switching operation between English and Chinese, and a switching
operation between capitalization and lower case of letters, are
very inconvenient and probably cause errors and thereby cause
degradation of efficiency and reliability of identity
authentication.
[0006] At least some embodiments may provide an identity
authentication method and apparatus and a server to improve
efficiency and reliability of identity authentication.
[0007] In an embodiment, there is provided an identity
authentication method, comprising the following steps:
[0008] an authentication end obtaining a token sent by a server
according to a client's access;
[0009] the authentication end encrypting the token with a private
key to obtain a signature;
[0010] the authentication end sending a first identity identifier,
the token and the signature to the server so that the server
obtains a second identity identifier according to the token and the
signature, and performs identity authentication according to the
first identity identifier and the second identity identifier;
wherein the first identity identifier is generated by the
authentication end according to a public key corresponding to the
private key.
[0011] In an embodiment, there is further provided an
implementation mode, wherein the authentication end is provided in
the client or independently from the client.
[0012] In an embodiment, there is further provided an
implementation mode, wherein the step of the authentication end
encrypting the token with a private key to obtain a signature
comprises:
[0013] the authentication end performing a Hash operation for the
token to obtain a Hash value of the token;
[0014] the authentication end using the private key to encrypt the
Hash value of the token to obtain the signature.
[0015] In an embodiment, the step of the server obtaining a second
identity identifier according to the token and the signature, and
performing identity authentication according to the first identity
identifier and the second identity identifier comprises:
[0016] the server performing a Hash operation for the token to
obtain a Hash value of the token;
[0017] the server obtaining the public key corresponding to the
signature according to the Hash value of the token and the
signature;
[0018] the server generating the second identity identifier
according to the public key corresponding to the signature;
[0019] the server performing an operation of passing the identity
authentication if the second identity identifier accords with the
first identity identifier.
[0020] In an embodiment, before the authentication end encrypts the
token with a private key to obtain the signature, the method
further comprises:
[0021] the authentication end, according to a website to be
accessed, selects a set of secret key information as the private
key and the public key corresponding to the private key.
[0022] In an embodiment, the step of the server performing an
operation of passing the identity authentication comprises:
[0023] the server obtaining the user account corresponding to the
first identity identifier according to the first identity
identifier;
[0024] the server sending service data related to the user account
to the client.
[0025] In an embodiment, there is provided an identity
authentication apparatus, comprising:
[0026] an obtaining unit configured to obtain a token sent by a
server according to a client's access behavior;
[0027] a signing unit configured to encrypt the token with a
private key to obtain a signature;
[0028] a sending unit configured to send a first identity
identifier, the token and the signature to the server so that the
server obtains a second identity identifier according to the token
and the signature, and performs identity authentication according
to the first identity identifier and the second identity
identifier; wherein the first identity identifier is generated
according to a public key corresponding to the private key.
[0029] In an embodiment, the authentication apparatus is provided
in the client or independently from the client.
[0030] In an embodiment, the signing unit is configured to
[0031] perform a Hash operation for the token to obtain a Hash
value of the token;
[0032] use the private key to encrypt the Hash value of the token
to obtain the signature.
[0033] In an embodiment, the apparatus further comprises a
selection unit configured to, according to a website to be
accessed, select a set of secret key information as the private key
and the public key corresponding to the private key.
[0034] In an embodiment, a server comprises:
[0035] an allocating unit configured to allocate a token to a
client according to the client's access behavior;
[0036] a transmitting unit configured to transmit the token to the
authentication end so that the authentication end uses the private
key to encrypt the token to obtain a signature;
[0037] a receiving unit configured to receive the first identity
identifier, the token and the signature transmitted by the
authentication end, wherein the first identity identifier is
generated by the authentication end according to the public key
corresponding to the private key;
[0038] an authentication unit configured to obtain a second
identity identifier according to the token and the signature, and
perform identity authentication according to the first identity
identifier and the second identity identifier.
[0039] In an embodiment, the authentication unit is configured
to
[0040] perform a Hash operation for the token to obtain a Hash
value of the token;
[0041] obtain the public key corresponding to the signature
according to the Hash value of the token and the signature;
[0042] generate the second identity identifier according to the
public key corresponding to the signature;
[0043] perform an operation of passing the identity authentication
if the second identity identifier accords with the first identity
identifier.
[0044] In an embodiment, the authentication unit is configured
to
[0045] obtain the user account corresponding to the first identity
identifier according to the first identity identifier;
[0046] send service data related to the user account to the
client.
[0047] An embodiment may facilitate avoiding inconvenience of input
of authentication information via the input device and easy
occurrence of errors in the prior art and thereby improve
efficiency and reliability of identity authentication in the
following manner: the authentication end encrypts the obtained
token with a private key to obtain a signature so that the
authentication end can send to the server the first identity
identifier, the token and the signature generated according to the
public key corresponding to the private key such that the server
obtains the second identity identifier according to the token and
the signature, and performs identity authentication according to
the first identity identifier and the second identity
identifier.
[0048] In an embodiment, no password is transmitted during
communication between the authentication end and the server, which
can avoid account security issues caused by leakage of
authentication information and further improves security of
identity authentication.
[0049] In an embodiment, the server need not store the password,
which can avoid account security issues caused by leakage of
authentication information and further improve security of identity
authentication.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
[0050] To illustrate the technical solutions in the example
embodiments more clearly, accompanying drawings that need to be
used in the description of the embodiments or the prior art are
briefly introduced below. Obviously, the accompanying drawings in
the following description are merely some embodiments. Persons of
ordinary skill in the art may further obtain other drawings
according to these accompanying drawings without making creative
efforts.
[0051] FIG. 1 illustrates a flowchart of an identity authentication
method according to an embodiment;
[0052] FIG. 2 illustrates a flowchart of an embodiment of an
integrated arrangement of an authentication end and a client in the
embodiment as illustrated in FIG. 1;
[0053] FIG. 3 illustrates a flowchart of an embodiment of a
separate arrangement of the authentication end and the client in
the embodiment as illustrated in FIG. 1;
[0054] FIG. 4 illustrates a structural schematic view of an
identity authentication apparatus according to an embodiment;
[0055] FIG. 5 illustrates a structural schematic view of an
identity authentication apparatus according to an embodiment;
[0056] FIG. 6 illustrates a structural schematic view of a server
according to an embodiment.
DETAILED DESCRIPTION
[0057] To make the purposes, technical solutions, and advantages of
the embodiments clearer, the technical solutions in the embodiments
are described clearly and completely with reference to the
accompanying drawings in the example embodiments. Evidently, the
embodiments to be described are only some rather than all of the
embodiments. All other embodiments obtained by persons of ordinary
skill in the art based on the embodiments of the present disclosure
without making creative efforts shall fall within the protection
scope of the present disclosure.
[0058] Noticeably, terminals involved in embodiments may include,
but are not limited to, mobile phones, personal digital assistants
(PDAs), wireless handheld devices, personal computers, portable
computers, MP3 players and MP4 players.
[0059] In addition, the term "and/or" herein merely describes an
association relationship between associated objects, indicating
that three types of relationships may exist, for example, A and/or
B may represent three cases where only A exists, both A and B
exist, and only B exists. In addition, the symbol "/" herein
generally represents an "or" relationship between associated
objects before and after "/".
[0060] FIG. 1 illustrates a flowchart of an identity authentication
method according to an embodiment.
[0061] Step 101: an authentication end obtains a token sent by a
server according to a client's access.
[0062] The token may be a unique character string and is used to
identify the client. Once the identity authentication passes, the
client carries this token to indicate its identity during
subsequent communication with the server.
[0063] Step 102: the authentication end encrypts the token with a
private key to obtain a signature.
[0064] Step 103: the authentication end sends a first identity
identifier, the token and the signature to the server so that the
server obtains a second identity identifier according to the token
and the signature, and performs identity authentication according
to the first identity identifier and the second identity
identifier; wherein the first identity identifier is generated by
the authentication end according to a public key corresponding to
the private key.
[0065] The authentication end may send to the server a HyperText
Transfer Protocol (HTTP) GET request or HTTP POST request carrying
the first identity identifier, the token and the signature. It may
be appreciated that the HTTP GET request or HTTP POST request may
further carry position information of the terminal where the client
is located, for example, longitude information and latitude
information.
[0066] It may be appreciated that the client may be an application
installed on the terminal, or may be a webpage in a browser, so
long as it can use the services provided by the server; the
concrete form that the client takes is not limited by the present
embodiment.
[0067] As such, inconvenience of input of authentication
information via the input device and easy occurrence of errors in
the prior art may be avoided and thereby efficiency and reliability
of identity authentication may be improved in the following manner:
the authentication end encrypts the obtained token with a private
key to obtain a signature so that the authentication end can send
to the server the first identity identifier, the token and the
signature generated according to the public key corresponding to
the private key such that the server obtains the second identity
identifier according to the token and the signature, and performs
identity authentication according to the first identity identifier
and the second identity identifier.
[0068] In an embodiment, no password is transmitted during
communication between the authentication end and the server, which
may avoid account security issues caused by leakage of
authentication information and further improves security of
identity authentication.
[0069] In an embodiment, the server need not store the password,
which can avoid account security issues caused by leakage of
authentication information and further improve security of identity
authentication.
[0070] In an embodiment, in step 102, the authentication end may
perform a Hash operation for the token to obtain a Hash value of
the token. Then, the authentication end may use the private key to
encrypt the Hash value of the token to obtain the signature.
[0071] Correspondingly, after step 103, the server may perform a
Hash operation for the token to obtain the Hash value of the token,
and furthermore, the server may obtain the public key corresponding
to the signature according to the Hash value of the token and the
signature. Then the server may generate the second identity
identifier according to the public key corresponding to the
signature. If the second identity identifier accords with the first
identity identifier, the server may perform an operation of passing
the identity authentication.
[0072] In an embodiment, when the user executes registration
operation for the first time or performs a certain identity
authentication operation, the server may record the user's first
identity identifier and user account and associate them to maintain
a correspondence relationship between the first identity identifier
and the user account. The server may obtain the user account
corresponding to the first identity identifier according to the
first identity identifier. Then, the server may send service data
related to the user account to the client.
[0073] In an embodiment, before step 102, the authentication end,
according to a website to be accessed, selects a set of secret key
information as the private key and the public key corresponding to
the private key. For example, if the website to be accessed is Sina
microblog, the authentication end may select a set of secret key
information A; or, if the website to be accessed is Taobao, the
authentication end may select a set of secret key information B.
[0074] In an embodiment, before this, a plurality of sets of secret
key information may be pre-generated for selection by the
authentication end according to the website to be accessed. As
such, the authentication end may uniformly manage all the user's
accounts, and the user himself need not manage the accounts
separately, which can further improve the efficiency of identity
authentication. To further improve the security of identity
authentication, a high-security encryption and decryption algorithm
may further be employed to encrypt the plurality of sets of secret
key information, so that the authentication end only needs to
maintain one password to achieve uniform management of all the
user's accounts.
[0075] In an embodiment, the authentication end may be set in a
local client. In this way, since the authentication end is
integrated with the client, identity authentication operation may
be executed automatically during the client's running to further
improve the efficiency of the identity authentication.
[0076] For example, the client uses a browser to open a page of a
target website to visit the target website; a server of the target
website receives an access request sent from the client, detects
that the access request does not carry a token, allocates a token T
to the client and then sends to the client the token T and a
Uniform Resource Locator (URL) to which the authentication data is
to be sent back. The client records the token T, for example in a
Cookie of the browser, for subsequent communication with the
server.
[0077] As shown in FIG. 2, in an embodiment the following
operations are performed:
[0078] Step 201: The client generates asymmetric keys, namely, a
public key A and a private key B, according to an asymmetric
encryption algorithm.
[0079] Step 202: The client generates the user's identity
identifier A1 according to the public key A.
[0080] For example, the client performs a hash operation for the
public key A to obtain the identity identifier A1.
[0081] Step 203: After obtaining the token T, the client performs a
hash operation for the token T to obtain a hash value T1 of the
token and uses the private key B to encrypt the hash value T1 of
the token to obtain a signature S.
[0082] Step 204: The client sends the identity identifier A1, the
token T and the signature S to the server at the URL to which the
authentication data is to be sent back.
[0083] Step 205: The server performs a hash operation for the token
T to obtain the hash value T1 of the token, obtains the public key
A corresponding to the signature S according to the hash value T1
of the token and the signature S, and generates the user's identity
identifier A2 according to the public key A corresponding to the
signature S.
[0084] Step 206: The server compares the identity identifier A2
with the identity identifier A1, and marks the token T as having
passed identity authentication if the identity identifier A2
accords with the identity identifier A1.
[0085] Alternatively, the server may further send to the client an
indication of the passing of identity authentication.
[0086] Step 207: The client uses the token T to communicate with
the server.
[0087] In an embodiment, the client may periodically attempt to use
the token T to communicate with the server, and may successfully
communicate with the server once the server marks the token T as
having passed identity authentication. Alternatively, after
receiving an indication that identity authentication has passed,
the client uses the token T to communicate with the server.
[0088] So far, the server may perform an operation of passing the
identity authentication. For example, the server may, according to
the identity identifier A1, obtain a user account corresponding to
the identity identifier A1 and send to the client service data
related to the user account.
[0089] In an embodiment, the authentication end may further be
provided independently from a local client. As the authentication
end and the client are then provided separately, key data such as
the private key and the public key on which the identity
authentication relies may be kept apart from the client, so that
the security of identity authentication may be further improved.
[0090] For example, the client uses a browser to open a page of a
target website to visit the target website; a server of the target
website receives an access request sent from the client, detects
that the access request does not carry a token, allocates a token T
to the client and then sends to the client, in a QR code, the token
T and a Uniform Resource Locator (URL) to which the authentication
data is to be sent back. The client records the token T, for
example in a Cookie of the browser, for subsequent communication
with the server. The client displays the received QR code in the
page. As shown in FIG. 3, the following operations may be
performed:
[0091] Step 301: The authentication end generates asymmetric keys,
namely, a public key A and a private key B, according to an
asymmetric encryption algorithm.
[0092] Step 302: The authentication end generates the user's
identity identifier A1 according to the public key A.
[0093] For example, the authentication end performs a hash
operation for the public key A to obtain the identity identifier
A1.
[0094] Step 303: The authentication end, according to the QR code
displayed by the client, obtains the token T and the URL to which
the authentication data is to be sent back.
[0095] Step 304: The authentication end performs a hash operation
for the token T to obtain a hash value T1 of the token and uses the
private key B to encrypt the hash value T1 of the token to obtain a
signature S.
[0096] Step 305: The authentication end sends the identity
identifier A1, the token T and the signature S to the server at the
URL to which the authentication data is to be sent back.
[0097] Step 306: The server performs a hash operation for the token
T to obtain the hash value T1 of the token, obtains the public key
A corresponding to the signature S according to the hash value T1
of the token and the signature S, and generates the user's identity
identifier A2 according to the public key A corresponding to the
signature S.
[0098] Step 307: The server compares the identity identifier A2
with the identity identifier A1, and marks the token T as having
passed identity authentication if the identity identifier A2
accords with the identity identifier A1.
[0099] Step 308: The client uses the token T to communicate with
the server.
[0100] In an embodiment, the client may periodically attempt to use
the token T to communicate with the server, and may successfully
communicate with the server once the server marks the token T as
having passed identity authentication.
[0101] So far, the server may perform an operation of passing the
identity authentication. For example, the server may, according to
the identity identifier A1, obtain a user account corresponding to
the identity identifier A1 and send to the client service data
related to the user account.
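The exchanges of FIG. 2 (Steps 201-207) and FIG. 3 (Steps 301-308) differ only in how the token T reaches the authentication end, so one worked example serves both. It is added here and is not part of the patent: because the server's step of "obtaining the public key corresponding to the signature" from hash(T) and S is what ECDSA public-key recovery provides, the example uses ECDSA over secp256k1 in pure Python; the curve, SHA-256, the deterministic nonce and the replay guard on T are all this example's assumptions, since the patent names no algorithm.

```python
import hashlib
import secrets

# secp256k1 parameters: an assumption of this example, the patent names no curve or algorithm.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def sha256_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv: int, msg_hash: int):
    """ECDSA over an already-hashed message (Step 203 / 304); returns (r, s, recovery_id)."""
    # Deterministic nonce from key and message: a simplified stand-in for RFC 6979.
    k = sha256_int(priv.to_bytes(32, "big") + msg_hash.to_bytes(32, "big")) % N or 1
    x, y = _mul(k, G)
    r = x % N
    s = pow(k, -1, N) * (msg_hash + r * priv) % N
    rec_id = y & 1
    if s > N // 2:                      # low-s normalisation negates R and flips its parity
        s, rec_id = N - s, rec_id ^ 1
    return r, s, rec_id

def recover(msg_hash: int, sig):
    """Recover the signer's public key from (hash(T), S): the server's Step 205 / 306."""
    r, s, rec_id = sig
    if not (1 <= r < N and 1 <= s < N):
        return None
    y = pow((pow(r, 3, P) + 7) % P, (P + 1) // 4, P)   # square root, valid as P % 4 == 3
    if y & 1 != rec_id:
        y = P - y
    if (y * y - pow(r, 3, P) - 7) % P:
        return None                                     # r is not an x-coordinate on the curve
    r_inv = pow(r, -1, N)
    return _add(_mul(s * r_inv % N, (r, y)),            # Q = r^-1 * (s*R - h*G)
                _mul(-msg_hash * r_inv % N, G))

def identity_id(pub) -> str:
    """First identity identifier A1 = hash(public key A) (Step 202 / 302)."""
    return hashlib.sha256(pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")).hexdigest()

def issue_token(outstanding: dict) -> bytes:
    """Server: allocate a fresh, unpredictable token T to an access that carries none (Step 101)."""
    token = secrets.token_bytes(32)
    outstanding[token] = None           # None = issued, not yet authenticated
    return token

def authenticate(priv: int, token: bytes):
    """Authentication end: returns (A1, T, S) with S = Sign_B(hash(T)) (Steps 202-204 / 302-305)."""
    return identity_id(_mul(priv, G)), token, sign(priv, sha256_int(token))

def server_verify(a1: str, token: bytes, sig, outstanding: dict) -> bool:
    """Server: recover A from (hash(T), S), derive A2 and compare with A1 (Steps 205-206 / 306-307).
    Only a token the server issued and has not yet marked as passed is accepted, so a captured
    (A1, T, S) triple cannot be replayed; that guard is this example's addition, not the patent's."""
    if token not in outstanding or outstanding[token] is not None:
        return False
    pub = recover(sha256_int(token), sig)
    if pub is None or identity_id(pub) != a1:
        return False
    outstanding[token] = a1             # token T marked as having passed identity authentication
    return True

if __name__ == "__main__":
    priv_b = secrets.randbelow(N - 1) + 1   # Step 201 / 301: key pair (A = priv_b * G, B = priv_b)
    state = {}
    t = issue_token(state)
    a1, t, s = authenticate(priv_b, t)
    print("passed:", server_verify(a1, t, s, state), "replay:", server_verify(a1, t, s, state))
```

The comparison of A2 with A1 in Step 206 / 307 is the actual signature check: a forged or altered S still recovers some point, but its hash will not equal A1, which is why the server needs no stored public key and no password.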
[0102] In this embodiment, the authentication end encrypts the
obtained token with a private key to obtain a signature so that the
authentication end can send to the server the first identity
identifier, the token and the signature generated according to the
public key corresponding to the private key such that the server
obtains the second identity identifier according to the token and
the signature, and performs identity authentication according to
the first identity identifier and the second identity identifier.
This can avoid inconvenience of input of authentication information
via the input device and easy occurrence of errors in the prior art
and thereby improves efficiency and reliability of identity
authentication.
[0103] In an embodiment, no password is transmitted during
communication between the authentication end and the server, which
can avoid account security issues caused by leakage of
authentication information and further improves security of
identity authentication.
[0104] In an embodiment, the server need not store the password,
which can avoid account security issues caused by leakage of
authentication information and further improve security of identity
authentication.
[0105] The above-mentioned method embodiments are all described as
a combination of a series of actions for the sake of simple
description, but those skilled in the art should know that the
present disclosure is not limited to the described order of
actions, because some steps may be performed in another order or
simultaneously according to various embodiments.
[0106] The above embodiments each are described with a different
focus, and a portion not detailed in a certain embodiment may find
relevant depictions in other embodiments.
[0107] FIG. 4 illustrates a structural schematic view of an
identity authentication apparatus according to an embodiment. The
identity authentication apparatus according to the present
embodiment may comprise an obtaining unit 41, a signing unit 42 and
a sending unit 43, wherein the obtaining unit 41 is configured to
obtain a token sent by a server according to a client's access
behavior. The token may be a unique character string and is used to
identify the client. Once the identity authentication passes, the
client carries this token to indicate its identity during
subsequent communication with the server. The signing unit 42 is
configured to encrypt the token with a private key to obtain a
signature. The sending unit 43 is configured to send a first
identity identifier, the token and the signature to the server so
that the server obtains a second identity identifier according to
the token and the signature, and performs identity authentication
according to the first identity identifier and the second identity
identifier; wherein the first identity identifier is generated
according to a public key corresponding to the private key. The
sending unit 43 may send to the server a HyperText Transfer Protocol
(HTTP) GET request or HTTP POST request carrying the first identity
identifier, the token and the signature. It may be appreciated that
the HTTP GET request or HTTP POST request may further carry
position information of the terminal where the client is located,
for example, longitude information and latitude information.
[0108] It may be appreciated that the client may be an application
installed on the terminal, or may be a webpage of a browser, so
long as it can carry out the services provided by the server and
give those services a concrete form. The present embodiment does not
limit this.
[0109] In an embodiment, the signing unit encrypts the token
obtained by the obtaining unit with a private key to obtain a
signature so that the sending unit can send to the server the first
identity identifier, the token and the signature generated
according to the public key corresponding to the private key such
that the server obtains the second identity identifier according to
the token and the signature, and performs identity authentication
according to the first identity identifier and the second identity
identifier. This can avoid inconvenience of input of authentication
information via the input device and easy occurrence of errors in
the prior art and thereby improve efficiency and reliability of
identity authentication.
[0110] In an embodiment, the server need not store the password,
which can avoid account security issues caused by leakage of
authentication information and further improve security of identity
authentication.
[0111] In an embodiment, the signing unit 42 may perform Hash
operations for the token to obtain a Hash value of the token; and
use the private key to encrypt the Hash value of the token to
obtain the signature.
[0112] Correspondingly, the server may perform Hash operations for
the token to obtain the Hash value of the token, and furthermore,
the server may obtain the public key corresponding to the signature
according to the Hash value of the token and the signature. Then
the server may generate the second identity identifier according to
the public key corresponding to the signature. If the second
identity identifier accords with the first identity identifier, the
server may perform an operation of passing the identity
authentication.
[0113] In an embodiment, when the user executes a registration
operation for the first time or performs a certain identity
authentication operation, the server may record the user's first
identity identifier and user account and associate them to maintain
a correspondence relationship between the first identity identifier
and the user account. The server may obtain the user account
corresponding to the first identity identifier according to the
first identity identifier. Then, the server may send service data
related to the user account to the client.
[0114] In an embodiment, as shown in FIG. 5, the identity
authentication apparatus according to the present embodiment may
further comprise a selecting unit 51 configured to, according to a
website to be accessed, select a set of secret key information as
the private key and the public key corresponding to the private
key. For example, if the website to be accessed is sina microblog,
the selecting unit 51 may select a set of secret key information A,
or for example, if the website to be accessed is Taobao, the
selecting unit 51 may select a set of secret key information
B.
[0115] The identity authentication apparatus according to an
embodiment may pre-generate a plurality of sets of secret key
information for selection according to the website to be accessed.
As such, the identity authentication apparatus may uniformly manage
all the user's accounts, and the user need not manage each account
separately, which can further improve efficiency of identity
authentication. To further improve security of identity
authentication, the identity authentication apparatus may further
employ a high-security encryption and decryption algorithm to encrypt
the plurality of sets of secret key information, so that the
identity authentication apparatus only needs to maintain one password
to achieve uniform management of all the user's accounts.
[0116] In an embodiment, the identity authentication device may be
set in a local client. In this way, since the identity
authentication device is integrated with the client, identity
authentication operation may be executed automatically during the
client's running to further improve the efficiency of the identity
authentication.
[0117] In an embodiment, the identity authentication device may
further be provided independently from a local client. As such, the
identity authentication device and the client are provided
separately, and key data such as the private key and the public key
on which the identity authentication relies may be kept separate
from the client, so that the security of identity authentication may
be further improved.
[0118] In an embodiment, the signing unit encrypts the token
obtained by the obtaining unit with a private key to obtain a
signature so that the sending unit can send to the server the first
identity identifier, the token and the signature generated
according to the public key corresponding to the private key such
that the server obtains the second identity identifier according to
the token and the signature, and performs identity authentication
according to the first identity identifier and the second identity
identifier. This can avoid inconvenience of input of authentication
information via the input device and easy occurrence of errors in
the prior art and thereby improve efficiency and reliability of
identity authentication.
[0119] In an embodiment, the server need not store the password,
which can avoid account security issues caused by leakage of
authentication information and further improve security of identity
authentication.
[0120] FIG. 6 illustrates a structural schematic view of a server
according to an embodiment. The server of the present embodiment
may comprise an allocating unit 61, a transmitting unit 62, a
receiving unit 63 and an authentication unit 64, wherein the
allocating unit 61 is configured to allocate a token to a client
according to the client's access behavior. The token may be a unique
character string and is used to identify the client. Once the
identity authentication passes, the client carries this token to
indicate its identity during subsequent communication with the
server. The transmitting unit 62 is configured to transmit the
token to the authentication end so that the authentication end uses
the private key to encrypt the token to obtain a signature. The
receiving unit 63 is configured to receive the first identity
identifier, the token and the signature transmitted by the
authentication end, wherein the first identity identifier is
generated by the authentication end according to the public key
corresponding to the private key. The receiving unit 63 may receive
from the authentication end a HyperText Transfer Protocol (HTTP) GET
request or HTTP POST request carrying the first identity
identifier, the token and the signature. It may be appreciated that
the HTTP GET request or HTTP POST request may further carry
position information of the terminal where the client is located,
for example, longitude information and latitude information. The
authentication unit 64 is configured to obtain a second identity
identifier according to the token and the signature, and perform
identity authentication according to the first identity identifier
and the second identity identifier.
[0121] It may be appreciated that the client may be an application
installed on the terminal, or may be a webpage of a browser, so
long as it can carry out the services provided by the server and
give those services a concrete form. The present embodiment does not
limit this.
[0122] In an embodiment, inconvenience of input of authentication
information via the input device and easy occurrence of errors in
the prior art may be avoided and efficiency and reliability of
identity authentication may thereby be improved in the following
manner: the allocating unit allocates a token to the client
according to the client's access behavior, and then the
transmitting unit transmits the token to the authentication end so
that the authentication end uses the private key to encrypt the
token to obtain a signature, and the receiving unit receives the
first identity identifier, the token and the signature transmitted
by the authentication end and generated according to the public key
corresponding to the private key so that the authentication unit
obtains the second identity identifier according to the token and
the signature, and performs identity authentication according to
the first identity identifier and the second identity
identifier.
[0123] In an embodiment, no password is transmitted during
communication between the authentication end and the server, which
can avoid account security issues caused by leakage of
authentication information and further improve security of
identity authentication.
[0124] In an embodiment, the server need not store the password,
which can avoid account security issues caused by leakage of
authentication information and further improve security of identity
authentication.
[0125] In an embodiment, the authentication end may perform Hash
operations for the token to obtain a Hash value of the token. Then,
the authentication end may use the private key to encrypt the Hash
value of the token to obtain the signature.
[0126] In an embodiment, the authentication unit 64 may perform
Hash operations for the token to obtain the Hash value of the
token; obtain the public key corresponding to the signature
according to the Hash value of the token and the signature;
generate the second identity identifier according to the public key
corresponding to the signature; and perform an operation of passing
the identity authentication if the second identity identifier
accords with the first identity identifier.
[0127] In an embodiment, the authentication unit 64 may, when the
user executes a registration operation for the first time or
performs a certain identity authentication operation, record the user's
first identity identifier and user account and associate them to
maintain a correspondence relationship between the first identity
identifier and the user account. The authentication unit 64 may
obtain the user account corresponding to the first identity
identifier according to the first identity identifier, and then
send service data related to the user account to the client.
[0128] In an embodiment, the authentication end, according to a
website to be accessed, selects a set of secret key information as
the private key and the public key corresponding to the private
key. For example, if the website to be accessed is sina microblog,
the authentication end may select a set of secret key information
A, or for example, if the website to be accessed is Taobao, the
authentication end may select a set of secret key information
B.
[0129] In an embodiment, before this, a plurality of sets of secret
key information may be pre-generated for selection by the
authentication end according to the website to be accessed. As
such, the authentication end may uniformly manage all the user's
accounts, and the user need not manage each account separately,
which can further improve efficiency of identity authentication. To
further improve security of identity authentication, a high-security
encryption and decryption algorithm may further be employed to
encrypt the plurality of sets of secret key information, so that the
authentication end only needs to maintain one password to achieve
uniform management of all the user's accounts.
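The following is an added illustration of the exchange described in paragraphs [0111] to [0114] and [0125] to [0129]; it is not code from the application or its applicant. The application names no signature algorithm, so this example assumes ECDSA over secp256k1 with public-key recovery, which is what lets the server obtain the public key from the Hash value of the token and the signature alone, and it assumes the identity identifier is the SHA-256 digest of the uncompressed public key. The names `hash_token`, `identity_identifier`, `sign`, `recover`, `respond` and `Server`, and the per-website key selection inside `respond`, are hypothetical. The server side adds two checks a practitioner would want: a token is accepted only once, so a captured token-and-signature pair cannot be replayed, and the identifier comparison is constant time.

```python
"""Token-signature identity authentication (added illustration, not the
application's code). ASSUMED: ECDSA over secp256k1 with public-key recovery,
and identity identifier = SHA-256 of the uncompressed public key."""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 mod P; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P        # tangent (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P         # chord
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication (teaching code: not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc

def hash_token(token: str) -> int:
    """Hash operation on the token; the resulting integer is what is signed."""
    return int.from_bytes(hashlib.sha256(token.encode()).digest(), "big")

def identity_identifier(pub) -> str:
    """Assumed derivation: SHA-256 over the uncompressed public key encoding."""
    x, y = pub
    return hashlib.sha256(b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")).hexdigest()

def sign(priv: int, z: int):
    """ECDSA over z with recovery bit: returns (r, s, v), v = parity of R.y."""
    while True:
        k = secrets.randbelow(N - 1) + 1                  # nonce (not RFC 6979)
        rx, ry = _mul(k, G)
        if rx == 0 or rx >= N:
            continue                                      # keep r == R.x unambiguous
        s = pow(k, -1, N) * (z + rx * priv) % N
        if s:
            return rx, s, ry & 1

def recover(z: int, sig):
    """Public key recovery: Q = r^-1 * (s*R - z*G); None if the signature is malformed."""
    r, s, v = sig
    if not (0 < r < N and 0 < s < N and v in (0, 1)):
        return None
    rhs = (r ** 3 + 7) % P
    y = pow(rhs, (P + 1) // 4, P)                         # modular sqrt, valid as P % 4 == 3
    if y * y % P != rhs:
        return None                                       # r is not an x-coordinate on the curve
    if y & 1 != v:
        y = P - y
    zg = _mul(z, G)
    neg_zg = None if zg is None else (zg[0], (-zg[1]) % P)
    return _mul(pow(r, -1, N), _add(_mul(s, (r, y)), neg_zg))

def respond(keys_by_site, site, token):
    """Authentication end: select the key set for the website, sign the token's hash."""
    d = keys_by_site[site]                                # selecting unit
    sig = sign(d, hash_token(token))                      # signing unit
    id1 = identity_identifier(_mul(d, G))                 # first identity identifier
    return {"id1": id1, "token": token, "sig": sig}       # sending unit payload

class Server:
    def __init__(self):
        self.tokens = {}        # token -> "issued" | "passed"   (allocating unit)
        self.accounts = {}      # first identity identifier -> user account
    def allocate_token(self) -> str:
        token = secrets.token_hex(16)                     # unique string identifying the client
        self.tokens[token] = "issued"
        return token
    def authenticate(self, msg):
        """Return the user account if identity authentication passes, else None."""
        token, id1 = msg["token"], msg["id1"]
        if self.tokens.get(token) != "issued" or id1 not in self.accounts:
            return None                                   # unissued/consumed token or unknown identifier
        pub = recover(hash_token(token), msg["sig"])      # authentication unit
        if pub is None or not hmac.compare_digest(identity_identifier(pub), id1):
            return None                                   # second identifier does not accord with first
        self.tokens[token] = "passed"                     # token now marks an authenticated client
        return self.accounts[id1]
```

The curve arithmetic is teaching code: it is not constant time and draws its nonce from `secrets` rather than deriving it per RFC 6979, so a real authentication end would use a vetted library for `sign` and `recover`; the part the application describes is the protocol logic in `respond` and `Server.authenticate`, and that logic stays the same whichever library supplies the signature primitives.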
[0130] In an embodiment, the authentication end may be set in a
local client. In this way, since the authentication end is
integrated with the client, identity authentication operation may
be executed automatically during the client's running to further
improve the efficiency of the identity authentication.
[0131] In an embodiment, the authentication end may further be
provided independently from a local client. As such, the
authentication end and the client are provided separately, and key
data such as the private key and the public key on which the identity
authentication relies may be kept separate from the client, so that
the security of identity authentication may be further improved.
[0132] In this embodiment, inconvenience of input of authentication
information via the input device and easy occurrence of errors in
the prior art may be avoided and efficiency and reliability of
identity authentication may thereby be improved in the following
manner: the allocating unit allocates a token to the client
according to the client's access behavior, and then the
transmitting unit transmits the token to the authentication end so
that the authentication end uses the private key to encrypt the
token to obtain a signature, and the receiving unit receives the
first identity identifier, the token and the signature transmitted
by the authentication end and generated according to the public key
corresponding to the private key so that the authentication unit
obtains the second identity identifier according to the token and
the signature, and performs identity authentication according to
the first identity identifier and the second identity
identifier.
[0133] In an embodiment, no password is transmitted during
communication between the authentication end and the server, which
can avoid account security issues caused by leakage of
authentication information and further improve security of
identity authentication.
[0134] In an embodiment, the server need not store the password,
which can avoid account security issues caused by leakage of
authentication information and further improve security of identity
authentication.
[0135] Those skilled in the art may clearly understand that, for
ease and concision of description, for a specific working process
of the foregoing described system, apparatus, and unit, reference
may be made to a corresponding process in the foregoing method
embodiments, and details are not repeatedly described here.
[0136] In the several embodiments provided in this application, it
should be understood that, the disclosed system, apparatus, and
method may be implemented in other manners. For example, the
apparatus embodiment described above is only exemplary: the division
into units is only a division by logical function, and in actual
implementation there may be other ways of dividing them. For
example, a plurality of units or components
may be combined or integrated into another system, or some features
may be ignored, or may not be executed. In addition, the shown or
discussed mutual coupling, or direct coupling, or communication
connection may be implemented through some interfaces, and indirect
coupling or communication connection of apparatuses or units may be
electrical, mechanical, or in other forms.
[0137] The units that are described as separate components may be
or may not be physically separated, and the components shown as
units may be or may not be physical units, that is, may be located
at one place, or may also be distributed on multiple network units.
Part of or all of the units may be selected, according to an actual
need, to achieve the purposes of the solutions in the
embodiments.
[0138] In addition, function units in each embodiment may be
integrated into a processing unit, and each unit may also exist
independently and physically, and two or more than two units may
also be integrated into one unit. The foregoing integrated unit may
be implemented in the form of hardware, and may also be implemented
in the form of hardware plus a software function unit.
[0139] The foregoing integrated unit implemented in the form of the
software function unit may be stored in a computer readable storage
medium. The software function unit is stored in a storage medium,
including several instructions that cause a computer device (which
may be a personal computer, a server, or a network device, and so
on) or a processor to execute part of the steps of the method in
various embodiments. The foregoing storage medium includes various
media that can store procedure codes, such as a USB disk, a
portable hard disk, a read only memory (Read-Only Memory,
abbreviated as ROM), a random access memory (Random Access Memory,
abbreviated as RAM), a magnetic disk, or a compact disk.
[0140] Finally, it should be noted that: the foregoing embodiments
are only intended to explain the technical solutions in the present
disclosure, but not intended to limit it. Although the present
disclosure includes descriptions in detail with reference to the
foregoing embodiments, persons of ordinary skill in the art should
understand that, they may still make modifications to the technical
solutions recorded in the foregoing embodiments, or equivalent
replacements to part of the technical features in the technical
solutions recorded in the foregoing embodiments; however, these
modifications or replacements do not make the nature of the
corresponding technical solutions depart from the spirit and scope
of the technical solutions in the embodiments.
[0141] The various embodiments described above can be combined to
provide further embodiments. Aspects of the embodiments can be
modified, if necessary to employ concepts of the various patents,
applications and publications to provide yet further
embodiments.
[0142] These and other changes can be made to the embodiments in
light of the above-detailed description. In general, in the
following claims, the terms used should not be construed to limit
the claims to the specific embodiments disclosed in the
specification and the claims, but should be construed to include
all possible embodiments along with the full scope of equivalents
to which such claims are entitled. Accordingly, the claims are not
limited by the disclosure.
* * * * *